On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote:
> On 08/13/2015 05:28 AM, Fraser Tweedale wrote:
> >On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
> >>usercertificate attr was moved from "System Modify Users" to this
> >>new permission.
> >>
> >>https://fedorahosted.org/freeipa/ticket/5177
> >>
> >>Note: hosts have permission "System: Manage Host Certificates", services
> >>don't have it but usercertificate is in "System: Modify Services". I would
> >>move it as well if usercertificate was not the only attr in "System: Modify
> >>Services".
> >>
> >New permission works as expected.
> >
> >What are the implications of removing userCertificate attribute from
> >"Modify Users" ACI? Users could be relying on it given that there
> >is (until now) no more fine-grained permission.
>
> I'm not sure what is the expected ACI upgrade behavior but applying this
> patch on installed server and running ipa-server-upgrade ends with
> userCertificate still in "System: Modify Users" permission - it eliminates
> your worry. The rest of users who still run IPA < 4.2 won't even notice.
>
Ah, I see.

This raises a different problem: different ACIs on different deployments,
depending on when IPA was installed. Unless I am misunderstanding
something, isn't that an undesirable situation?

Thanks,
Fraser

> >
> >Perhaps we should
> >
> >a) use update script to add the new permission to any roles that
> >   have the Modify Users permission, or
> >b) not remove the userCertificate attribute from the ACI, or
> >c) deem this change acceptable and leave the patch as-is, in which
> >   case: ACK
> >
> >Cheers,
> >Fraser
> >
> --
> Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
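A defender-side check for the drift Fraser describes, written as an added example (not code from the thread or from FreeIPA itself): it parses 389-DS ACI strings and reports which managed permissions grant write on userCertificate in one deployment but not in another. The ACI samples are constructed, and "System: Manage User Certificates" is an assumed name for the new permission, which the thread does not name.

```python
import re

# Regexes for the three pieces of a 389-DS ACI this check needs:
# the targetattr list, the managed-permission name and the granted rights.
_TARGETATTR = re.compile(r'targetattr\s*(!?=)\s*"([^"]*)"', re.IGNORECASE)
_ACL_NAME = re.compile(r'acl\s+"permission:([^"]*)"', re.IGNORECASE)
_ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.IGNORECASE)


def parse_aci(aci):
    """Return (permission name, target attrs, rights) or None if unparseable.
    Only 'targetattr = ...' is handled; the negated form is skipped."""
    ta, name, allow = _TARGETATTR.search(aci), _ACL_NAME.search(aci), _ALLOW.search(aci)
    if not (ta and name and allow) or ta.group(1) != "=":
        return None
    attrs = {a.strip().lower() for a in ta.group(2).split("||") if a.strip()}
    rights = {r.strip().lower() for r in allow.group(1).split(",")}
    return name.group(1), attrs, rights


def permissions_granting(acis, attr, right="write"):
    """Names of managed permissions whose ACI grants `right` on `attr`."""
    found = set()
    for aci in acis:
        parsed = parse_aci(aci)
        if parsed and attr.lower() in parsed[1] and right in parsed[2]:
            found.add(parsed[0])
    return sorted(found)


def aci_drift(acis_a, acis_b, attr):
    """Permissions granting write on `attr` in one deployment but not the other."""
    a = set(permissions_granting(acis_a, attr))
    b = set(permissions_granting(acis_b, attr))
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


# Constructed sample ACIs, not real server output. "System: Manage User
# Certificates" is an assumed name for the new permission the thread does not name.
SUFFIX = "cn=permissions,cn=pbac,dc=example,dc=test"
FRESH_INSTALL = [
    '(targetattr = "givenname || sn")(version 3.0;acl "permission:System: Modify Users";'
    f'allow (write) groupdn = "ldap:///cn=System: Modify Users,{SUFFIX}";)',
    '(targetattr = "usercertificate")(version 3.0;acl "permission:System: Manage User Certificates";'
    f'allow (write) groupdn = "ldap:///cn=System: Manage User Certificates,{SUFFIX}";)',
]
# Upgraded server: the pre-existing ACI kept usercertificate, as observed in the thread.
UPGRADED_INSTALL = [FRESH_INSTALL[0].replace('"givenname || sn"', '"givenname || sn || usercertificate"'),
                    FRESH_INSTALL[1]]
```

Feeding `aci_drift` the `aci` attribute values exported from two servers shows exactly which permissions diverge between a fresh install and an upgraded one.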
